Summary

This web page is dedicated to GeMSS: a Great Multivariate Signature Scheme. GeMSS is a multivariate-based
signature scheme producing small signatures. It has a fast verification process and a medium/large public key.
GeMSS is in direct lineage from the multivariate signature scheme QUARTZ. Thus, GeMSS is built from the Hidden
Field Equations cryptosystem (HFE) by using the so-called minus and vinegar modifiers, i.e. HFEv-.
GeMSS is a faster variant of QUARTZ that incorporates the latest results in multivariate cryptography to reach higher security levels than QUARTZ whilst improving efficiency.

We have also submitted a variant, DualModeMS, which uses a generic technique that transforms any MI-based
multivariate signature scheme into a new scheme with a much shorter public key but larger signatures.

Specification (version of 11/30/2017)

Package of submission (version of 11/30/2017)

The full submission package (with the implementations) is available here.
The KAT files are here.

Updated implementation and KAT for D=513

The parameter D is incorrect in the submitted implementation. The value should be 513 and not 512. How to modify D is explained here. The updated implementation is here and the KAT files for D=513 are here.

News

Improved implementation

09/20/2018. The measurements of an improved additional implementation have been added. This implementation is not yet available. For Skylake processors, we obtain a speed-up factor between 2 and 2.6 for the keypair generation, between 1.3 and 1.6 for the signing process, and between 1.8 and 2 for the verifying process.

09/27/2018. The measurements of our improved additional implementation are available for Skylake and Haswell processors.

Specification

01/11/2018. The size of the secret key is slightly incorrect: the values given are for D=512 instead of 513. See the tables for the corrected values.

01/11/2018. For the experimental measurements, turbo boost was enabled.

Correction of mistakes in the original implementation

01/11/2018. The parameter D is incorrect in the implementation. The value should be 513 and not 512. The update is done here.

Performance of the fastest implementations

Here are new performance measurements of the additional implementation submitted to NIST. We corrected the parameter D in the implementation (513 instead of 512). We compare this corrected version to our new implementation. The measurements are averages over 1,000 keypair generations, 256 signatures and 1,000,000 verifications for security category 1, over 100 keypair generations, 256 signatures and 100,000 verifications for security category 3, and over 20 keypair generations, 256 signatures and 50,000 verifications for security category 5. In the tables, the original implementation is written in red.

Here are the theoretical and practical sizes for keys and signatures. The correction of the parameter D induces minor modifications of the size of the secret key. As for the performance measurements, we compare the practical size used by the NIST submission (written in red) to that of our new implementation. For the moment, we have improved only the size of the public key for GeMSS256.

Theoretical sizes of keys and signatures.

| category of security | public key | secret key | signature |
|---|---|---|---|
| 1 (128 bits) | 352.188 kB | 13.438 kB | 258 bits |
| 3 (192 bits) | 1237.964 kB | 34.070 kB | 411 bits |
| 5 (256 bits) | 3040.700 kB | 75.893 kB | 576 bits |

Practical sizes of keys and signatures.

| category of security | public key | secret key | signature |
|---|---|---|---|
| 1 (128 bits) | 417.408 kB | 14.520 kB | 384 bits |
| 1 (128 bits) | 417.416 kB | 14.520 kB | 384 bits |
| 3 (192 bits) | 1304.192 kB | 40.280 kB | 704 bits |
| 3 (192 bits) | 1304.192 kB | 40.280 kB | 704 bits |
| 5 (256 bits) | 3603.792 kB | 83.688 kB | 832 bits |
| 5 (256 bits) | 3046.856 kB | 83.688 kB | 832 bits |

Acknowledgement

GeMSS has been prepared with the support of the French Programme d'Investissement
d'Avenir under national project RISQ P141580.